As a cooperation service providing scheme in which a plurality of apparatuses mutually transmit/receive information to provide one service, there are provided a scheme of directly connecting each apparatus to another apparatus and a scheme of connecting respective apparatuses via a common bus having an identification (ID) conversion function, a log function, and the like. Among these two schemes, in the former scheme of directly connecting each apparatus to another apparatus, it is difficult to verify/audit transmitted/received contents later since there is no point where pieces of information (to be referred to as cooperation information hereinafter) mutually transmitted/received between apparatuses are integrated and managed. Consequently, the latter scheme of connecting respective apparatuses via a common bus having an ID conversion function, a log function, and the like is desired.
Even if IDs for identifying pieces of information held in respective apparatuses are ones for identifying the same information, the IDs themselves are generally different for the respective apparatuses. The ID conversion function is a function of certifying that IDs are ones for identifying the same information even if the IDs themselves are different for respective apparatuses. Note that examples of a scheme for implementing the ID conversion function are a table reference scheme and a function scheme.
For example, as a cooperation service providing technique to which the table reference scheme is applied, there is provided a cooperation service providing technique of implementing cooperation of IDs (that is, transmission/reception of cooperation information) between a plurality of apparatuses by storing a table in advance in a cooperation apparatus which causes the plurality of apparatuses to cooperate with each other, and referring to the table when causing the respective apparatuses to cooperate with each other.
Furthermore, as a cooperation service providing technique to which the function scheme is applied, for example, there is provided a cooperation service providing technique of implementing cooperation of IDs (that is, transmission/reception of cooperation information) between a plurality of apparatuses by decrypting, on a cooperation apparatus, information containing an ID transmitted from one of respective apparatuses to cooperate with each other by using secret information in AES, and then re-converting the information into a code for the other apparatus to transmit it.
In addition, as a cooperation service providing technique to which the function scheme is applied, there is provided a cooperation service providing technique of implementing transmission/reception of cooperation information between respective apparatuses by using a public key cryptosystem for the cooperation information.
As for the public key cryptosystem, a technique called proxy re-encryption will now be described.
A basic model of this technique is formed from five functions (to also be referred to as algorithms hereinafter) of key generation, encryption, decryption, re-encryption key generation, and re-encryption. The key generation function, encryption function, and decryption function are the same as those of the normal public key cryptosystem.
(Key Generation) KeyGen(1k)→(pk, sk)
Upon input of a security parameter 1k, a key generation algorithm KeyGen outputs a set (pk, sk) of a public key pk and a private key sk.
(Encryption) Enc(pkA, m)→CA 
Upon input of a public key pkA of a user A and a message m, an encryption algorithm Enc outputs ciphertext CA destined for the user A.
(Decryption) Dec(skA, CA)→m
Upon input of a private key skA of the user A and the ciphertext CA destined for the user A, a decryption algorithm Dec outputs the message m.
(Re-Encryption Key Generation) ReKeyGen(pkA, skA, pkB, skB)→rkA→B 
Upon input of the public key pkA and private key skA of the user A and a public key pkB and private key skB of a user B, a re-encryption key generation algorithm ReKeyGen outputs a re-encryption key rkA→B.
(Re-Encryption) ReEnc(rkA→B, CA)→CB 
Upon input of the re-encryption key rkA→B and the ciphertext CA destined for the user A, a re-encryption algorithm ReEnc outputs ciphertext CB destined for the user B.
The basic model has been explained. In accordance with a scheme of implementing re-encryption, however, a model in which inputs to functions are different and a model which includes functions and keys in addition to the above-described functions and keys are also considered.
For example, as for the input of the re-encryption key generation algorithm, a model called a non-interactive model which eliminates the need for the private key skB of the user B, and a model in which the re-encryption key rkA→B destined for the user B and a private key skC of a user C are input instead of the private key skA of the user A are considered.
In addition, there are known a model called a unidirectional model in which re-encryption of cyphertext CA→CB can be performed using the re-encryption key rkA→B while inverse conversion of cyphertext CB→CA cannot be performed, and a model called a bidirectional model in which inverse conversion can also be performed. Note that in the bidirectional mode, the re-encryption key rkA→B may also be represented by .
Furthermore, among public key cryptosystems, an ID-based encryption scheme is considered. In this case, the number of function setup operations for master key generation increases, a master key and ID are additionally input to the key generation algorithm KeyGen. In ID-based encryption, the public key pk serves as an ID.
As practical examples of the schemes, there are known schemes described in G. Ateniese, K. Fu, M. Green, S. Hohenberger. Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage. In NDSS'05, 2005, and B. Libert, D. Vergnaud. Tracing Malicious Proxies in Proxy Re-Encryption. In Pairing 2008, 2008, for the unidirectional model, a scheme described in R. Canetti, S. Hohenberger. Chosen-Ciphertext Secure Proxy Re-Encryption. In ACM CCS'07, 2007, for the bidirectional model, and schemes described in M. Green, G. Ateniese. Identity-Based Proxy Re-encryption. In ACN'07, 2007, and T. Matsuo. Proxy Re-encryption Systems for Identity-based Encryption. In Pairing 2007, 2007, the like for ID-based encryption. Note that embodiments refer to a scheme described in Benoit Libert, Damien Vergnaud, “Unidirectional Chosen-Ciphertext Secure Proxy Re-encryption”, Public Key Cryptography 2008, pp. 360-279.
In the above cooperation service providing techniques, however, pieces of cooperation information (that is, IDs) can be linked with each other on the cooperation apparatus, and a process of exchanging cooperation information between respective apparatuses cannot be audited/verified later on the cooperation apparatus.
Problems to be solved by the present invention are to prevent pieces of cooperation information from being linked with each other on a cooperation apparatus, and provide a cooperation service providing system which allows auditing/verification to be performed later on the cooperation apparatus, and a server apparatus.